Structuring data and pre-compiled exception list engines and internet protocol threat prevention

ABSTRACT

Blocking high-risk IP connections in real-time while allowing tailoring of an acceptable risk profile to match the security requirements of network resources. By acquiring IP threat information about IP addresses, traffic from IP addresses posing unacceptable levels of risk is blocked. A computer executed method is disclosed for sorting a plurality of internet protocol (IP) addresses. The method includes dividing the range of IP addresses into a plurality of clusters representing a plurality of contiguous sub-ranges, assigning each IP address to the cluster associated with the sub-range that includes that IP address, and assigning the IP addresses in each cluster to one of a plurality of pages. A network appliance incorporating aspects of the method is also disclosed.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.15/481,030, filed Apr. 6, 2017, which is a continuation-in-part of U.S.patent application Ser. No. 14/963,490, filed Dec. 9, 2015, which is acontinuation of U.S. patent application Ser. No. 13/855,510, filed Apr.2, 2013, now U.S. Pat. No. 9,225,593, which is a divisional of U.S.application Ser. No. 12/509,957, filed Jul. 27, 2009, now U.S. Pat. No.8,468,220, which claims the benefit of U.S. Provisional Application No.61/171,176, filed on Apr. 21, 2009. U.S. patent application Ser. No.15/481,030, filed Apr. 6, 2017 is also a continuation-in-part of U.S.patent application Ser. No. 15/155,853, filed May 16, 2016, which is acontinuation of U.S. patent application Ser. No. 14/208,998, filed Mar.13, 2014, now U.S. Pat. No. 9,342,691, which claims the benefit of U.S.Provisional Application Ser. No. 61/782,669, filed Mar. 14, 2013. Theentire disclosures of the above-referenced applications are incorporatedherein by reference for all purposes.

TECHNICAL FIELD

The present disclosure generally relates to network security, methods ofstructuring data for high speed searching, pre-compiled exception listengines incorporating such structured data and network appliancesincluding such engines.

BACKGROUND

This section provides background information related to the presentdisclosure which is not necessarily prior art.

There are various known methods of structuring a set of data elementsand of searching the set of data elements to locate a desired element.The data elements may be left unstructured or may be structuredaccording to some principle, such as numerically, alphabetically, etc.The data set may, for example, be searched linearly by looking at eachitem in the set in order or by using a binary search, which repeatedlydivides the set in half and determines whether the desired element isabove, below or equal to the dividing point of the set.

As the number of elements in a data set increases, many known methods ofstructuring and/or searching the data set become cumbersome. Suchmethods may become slower, require more processor power, and/or memory.

Computing devices connected to the Internet face constant securityrisks. Computer services connected to the Internet, especiallypublic-facing services, face attacks designed to deprive access to theresource (i.e., denial of service), disrupt access to the resource(e.g., to make political statements), or provide illegal access to theresource (e.g., for monetary reasons). Internet-connected devices insidethe firewall of a protected network are at risk when communicating withresources outside the firewall. These devices inside the firewall maybecome infected with malware that attempts to enlist them in a bot-netor that attempts to send personal and/or financial information tounauthorized entities on the Internet.

At one time, adding access rules into a firewall to restrict inbound oroutbound Internet connections addressed this problem. However, today'shackers and cyber-criminals are much more sophisticated and are able tohide their identities by connecting through proxies, anonymizers, andcomputers that have been enlisted into a bot-net controlled by theattacker. Simply blocking an Internet Protocol (IP) address isinsufficient to prevent attacks because the IP addresses used byattackers can change daily, hourly, and sometimes even more frequently.Further, having only two options (i.e., blocked or not blocked) does notprovide adequate flexibility for assessing threats. And creatingexceptions is manually intensive.

An Internet Risk Intelligence Provider (IRIP) is an entity that monitorsInternet network nodes for signs of malicious activity and providesaccess to its findings. Upon detecting possibly malicious activity, anIRIP adds the IP address associated with the activity to a downloadablelist or a real-time feed. Along with the IP address, the IRIP includesthe risk category of the potential risk and a confidence score, whichindicates the probability that the detected IP address is actually arisk. A typical IRIP is capable of monitoring millions of IP addressesand, thus, a typical list of IP addresses may number in the millions.Unfortunately, conventional firewalls and routers normally used to stophigh-risk IP addresses from connecting into or out of a network arecapable of blocking only a small percentage of the IP addresses. (e.g.,10,000 up to 100,000 IP addresses). In addition to the disadvantagesdescribed above, firewalls and routers also require the access rulesthat determine which IP addresses will be blocked (i.e., risk blocking)to be constantly updated in real-time as the threat environment changes.What is needed is a practical way to block high-risk IP connections inreal-time while allowing users to tailor their acceptable risk profilesto match the security requirements of their network resources.

SUMMARY

According to one aspect of the present disclosure, a computer executedmethod is disclosed for sorting a plurality of Internet protocol (IP)addresses, each of which has a numeric value within a range of numericvalues. The method includes dividing the range into a plurality ofclusters representing a plurality of contiguous sub-ranges. Eachsub-range encompasses substantially the same number of numeric values ofthe range and each sub-range associated with a different cluster. Themethod also includes assigning each IP address to the cluster associatedwith the sub-range that includes the numeric value of that IP address.Each cluster has a cluster size defined by the number of IP addressesassigned to that cluster. The IP addresses in each cluster are assignedto one of a plurality of pages. Each page has a page size limit definingthe maximum number of IP addresses that can be assigned to that page.Each page has a page size defined by the number of IP addresses assignedto that page. If one of the pages has a page size less than its pagesize limit, the method includes duplicating on that page at least one ofthe IP addresses assigned to that page to increase the page size of thatpage. For each page, the IP addresses assigned to that page are orderedby numeric value.

According to another aspect of the present disclosure, a computerexecuted method is disclosed for sorting a plurality of internetprotocol (IP) addresses, each of which has a numeric value within arange of numeric values. The method includes dividing the range into aplurality of clusters representing a plurality of contiguous sub-ranges.Each sub-range encompasses substantially the same number of numericvalues of the range and each sub-range associated with a differentcluster. The method also includes assigning each IP address to thecluster associated with the sub-range that includes the numeric value ofthat IP address. Each cluster has a cluster size defined by the numberof IP addresses assigned to that cluster. The method includes orderingthe clusters by cluster size. The IP addresses in each cluster areassigned to one of a plurality of pages. Each page has a same page sizelimit defining the maximum number of IP addresses that can be assignedto that page. Each page has a page size defined by the number of IPaddresses assigned to that page. If one or more of said pages has a pagesize less than its page size limit, the method includes duplicating onsaid page one or more of the IP addresses assigned to that page toincrease the page size of said page to its page size limit. For eachpage, the IP addresses assigned to that page are ordered by numericvalue.

According to yet another aspect of the present disclosure a networkappliance for connection to a first network is disclosed. The applianceincludes at least one input coupled to the first network for receiving apacket from the first network. The packet includes an internet protocol(IP) address. The appliance also includes at least one processor fordetermining whether to allow the packet from the first network toproceed and at least one memory device storing instructions and data.The data includes a plurality of pages storing a plurality of exceptedIP addresses. The excepted IP addresses each has a numeric value withina range. The range is divided into a plurality of contiguous sub-rangesand each page includes one or more of the excepted IP addresses havingnumeric values within one or more of the sub-ranges associated with thatpage. Each page has a page size defined by the number of IP addressesassigned to that page. The excepted IP addresses are assigned to eachpage ordered by numeric value. The at least one processor is configuredvia the instructions to identify the IP address of the packet from thefirst network, identify a target page that will include the IP addressif the IP address is one of the plurality of excepted IP addresses,search the target page to determine if the IP address is one of theexcepted IP addresses in the target page, and process the packet fromthe first network according to whether the IP address is an excepted IPaddress in the target page.

According to another aspect of the present application, a networkappliance for connection to a first network includes at least one inputcoupled to the first network for receiving a packet from the firstnetwork. The packet includes an internet protocol (IP) address. Theappliance includes at least one processor for determining whether toallow the packet from the first network to enter the second network andat least one memory device. The appliance also includes a first enginestored in the memory device. The first engine includes a plurality ofpages storing a plurality of excepted IP addresses. The excepted IPaddresses each has a numeric value within a range of numeric values andthe range is divided into a plurality of contiguous sub-ranges. Eachpage includes one or more of the excepted IP addresses having numericvalues within one or more of the sub-ranges associated with that page.Each page has a page size defined by the number of excepted IP addressesassigned to that page. The excepted IP addresses are assigned to eachpage ordered by numeric value. The first engine also includes a firstfinite state machine (FSM). The first FSM includes instructionsexecutable by the processor to determine the page associated with thesub-range encompassing the IP address and output an indication of thepage associated with the sub-range encompassing the IP address. Theengine also includes instructions executable by the processor to searchthe page associated with the sub-range encompassing the IP address todetermine if the IP address is an excepted IP address, and output anindication of whether the IP address is an excepted IP address. Theprocessor is also configured via instructions stored in the memorydevice to process the packet from the first network according to theindication from the first engine.

Briefly, aspects of the invention permit blocking high-risk IPconnections in real-time while allowing users to tailor their acceptablerisk profiles to match the security requirements of their networkresources. IP threat information is acquired from one or more providersvia a feed (e.g., based on eXtensible Markup Language (XML) orJavaScript Object Notation (JSON)). The information includes, forexample, an IP address, a named risk category, and a confidence levelthat the listed IP address is actually a threat within the namedcategory. Advantageously, the category names from each provider aremapped into a set of common category names to resolve potential namingconflicts. An aggregate risk score based on the individual risk scorestakes into account confidence levels assigned by IRIPs, the number oftimes an IP address has been listed as high-risk over a predefined timeinterval, and the time interval since the last time the IP address waslisted. In addition, weighting the scores from the IRIP data improvesthreat assessment.

In an aspect, a computer-implemented method of assessing a riskassociated with an IP address for a risk category comprises storing aplurality of threat information in a memory device. The threatinformation includes the IP address, a risk category associated with theIP address, and a risk confidence level associated with the IP address.In addition, the method comprises storing a risk category acceptancelevel in the memory device and determining a risk category valueassociated with the IP address. According to the method, the riskcategory value is determined as a function of the risk confidence level,a number of instances the risk confidence level has exceeded the riskcategory acceptance level during a first time interval, and a secondtime interval representing the elapsed time since the risk confidencelevel previously exceeded the risk category acceptance level. The methodfurther comprises storing the risk category value in the memory deviceand rendering a decision as to the threat associated with the IP addressfor the risk category as a function of the risk category value and therisk category acceptance level.

In another aspect, a processor-implemented method of determining anaggregate risk score for a plurality of IP address comprises receiving aplurality of IP addresses from one or more IRIPs for a particularcategory via a computer communications network. In addition, the methodincludes determining source characteristics for each of the received IPaddresses, and assigning weighting factors to the sourcecharacteristics, and mathematically transforming the weighted sourcecharacteristics to adjust a risk confidence level for each of thereceived IP addresses. The method further comprises determining anaggregate risk score for the IP addresses based on the adjustedconfidence levels for the IP addresses and allowing traffic from each ofthe IP addresses having an aggregate risk score below an acceptablelevel of risk.

In yet another aspect, a system for determining risk for a plurality ofIP addresses received in real-time from a plurality of sources comprisesa memory for storing a plurality of IP addresses and a date and a time,an assigned risk category, and a confidence level for each IP address. Agraphical user interface displays a plurality of categories associatedwith each IP address and accepts input, including an acceptable risklevel for each of the plurality of categories, from a user. The systemalso includes a computer processor for executing computer-executableinstructions for receiving a plurality of IP addresses from one or moreIRIPs for a particular category, determining if the one or more receivedIP addresses are associated with more than one category, determiningsource characteristics for each of the received IP addresses for acategory, assigning a weighting factor to each of the sourcecharacteristics for each category, adjusting a confidence level for eachof the received IP addresses by using a mathematical transform based onthe weighting factors for each category, determining an aggregate riskscore for all the IP addresses based on the adjusted confidence levels,receiving an acceptable risk level from a user for each category,comparing the aggregate risk score with the received acceptable risklevel from the user, and allowing any IP addresses having an aggregaterisk score below the acceptable risk level to pass through the network'sfirewall.

In yet another aspect, a computer network firewall system comprises atleast one tangible, non-transitory a computer-readable medium storingprocessor-executable instructions. A threat assessment processor isprogrammed to execute the instructions. And, when executed by theprocessor, the instructions store a plurality of threat information onthe computer-readable medium. The threat information includes an IPaddress, a risk category associated with the IP address, and a riskconfidence level associated with the IP address. In addition, theexecuted instructions store a risk acceptance level and determine a riskvalue associated with the IP address as a function of the riskconfidence level, a number of instances the risk confidence level hasexceeded a threshold level during a first time interval, and a secondtime interval representing the elapsed time since the risk confidencelevel previously exceeded the threshold level. The executed instructionfurther compare the risk value with the risk acceptance level and blockcomputer network communications with a computing device associated withthe IP address when the risk value is greater than or equal to the riskacceptance level.

Other objects and features will be in part apparent and in part pointedout hereinafter.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow chart illustrating a computer executed method forsorting a plurality of IP addresses according to one aspect of thepresent disclosure.

FIG. 2 is a block illustration of dividing a range of IP addresses intoa plurality of clusters each having a sub-range of the range.

FIG. 3 is a flow diagram illustrating one embodiment of assigning aplurality of IP addresses to a plurality of clusters.

FIG. 4 is a flow diagram illustrating one embodiment of assigning IPaddresses from clusters to pages according to a first fit algorithm.

FIG. 5 is a flow diagram illustrating one embodiment of assigning IPaddresses from clusters to pages according to a best fit algorithm.

FIG. 6 is a flow diagram illustrating one embodiment of searching todetermine if an IP address is one of a plurality of IP addressesassigned to pages according to the present disclosure.

FIG. 7 is a graphical representation of an example application of amethod for sorting a plurality of IP addresses.

FIG. 8 is a network appliance for connection between two networks andincorporating aspects of the methods disclosed herein.

FIG. 9 is a diagram of an exemplary threat assessment process inaccordance with an embodiment of the invention.

FIG. 10 further illustrates an exemplary weighting process for multipleIRIP characteristics of FIG. 9.

FIG. 11 further illustrates an exemplary weighting process for sourceand/or destination characteristics of FIG. 9.

FIG. 12 further illustrates an exemplary weighting process fororiginating country characteristics of FIG. 9.

FIG. 13 further illustrates an exemplary weighting process fororiginating ISP characteristics of FIG. 9.

FIG. 14 further illustrates an exemplary weighting process for temporalcharacteristics of FIG. 9.

FIG. 15 further illustrates an exemplary weighting process for multiplecategory characteristics of FIG. 9.

FIGS. 16A-16B is a diagram of an exemplary aggregation process inaccordance with an embodiment of the invention.

FIGS. 17-20 are screenshots of an exemplary user interface in accordancewith an embodiment of the invention.

Corresponding reference characters indicate corresponding partsthroughout the drawings.

DETAILED DESCRIPTION

Methods of Structuring Data, Pre-Compiled Exception List Engines, andNetwork Appliances

Example embodiments will now be described more fully with reference tothe accompanying drawings.

Example embodiments are provided so that this disclosure will bethorough, and will fully convey the scope to those who are skilled inthe art. Numerous specific details are set forth such as examples ofspecific components, devices, and methods, to provide a thoroughunderstanding of embodiments of the present disclosure. It will beapparent to those skilled in the art that specific details need not beemployed, that example embodiments may be embodied in many differentforms and that neither should be construed to limit the scope of thedisclosure. In some example embodiments, well-known processes,well-known device structures, and well-known technologies are notdescribed in detail.

The terminology used herein is for the purpose of describing particularexample embodiments only and is not intended to be limiting. As usedherein, the singular forms “a”, “an” and “the” may be intended toinclude the plural forms as well, unless the context clearly indicatesotherwise. The terms “comprises,” “comprising,” “including,” and“having,” are inclusive and therefore specify the presence of statedfeatures, integers, steps, operations, elements, and/or components, butdo not preclude the presence or addition of one or more other features,integers, steps, operations, elements, components, and/or groupsthereof. As used herein, the term “and/or” includes any and allcombinations of one or more of the associated listed items. The methodsteps, processes, and operations described herein are not to beconstrued as necessarily requiring their performance in the particularorder discussed or illustrated, unless specifically identified as anorder of performance. It is also to be understood that additional oralternative steps may be employed.

According to one aspect of the present disclosure, a method, generallyindicated by the reference numeral 100 in FIG. 1, is disclosed forsorting a plurality of internet protocol (IP) addresses, each of whichhas a numeric value within a range of numeric values. The methodincludes, at 102, dividing the range into a plurality of clustersrepresenting a plurality of contiguous sub-ranges. Each sub-rangeencompasses substantially the same number of numeric values of the rangeand each sub-range associated with a different cluster. The method alsoincludes, at 104, assigning each IP address to the cluster associatedwith the sub-range that includes the numeric value of that IP address.Each cluster has a cluster size defined by the number of IP addressesassigned to that cluster. At 106, the IP addresses in each cluster areassigned to one of a plurality of pages. Each page has a page size limitdefining the maximum number of IP addresses that can be assigned to thatpage. Each page has a page size defined by the number of IP addressesassigned to that page. At 108, if one of the pages has a page size lessthan its page size limit, the method includes duplicating on that pageat least one of the IP addresses assigned to that page to increase thepage size of that page. For each page, the IP addresses assigned to thatpage are ordered at 110 by numeric value.

IP addresses are numerical identifiers of devices in a network. Each IPaddress typically has a numerical value and is stored as a binarynumber. There are multiple IP addresses versions, such as IPv4 and IPv6.IPv4 addresses are 32 bit numbers, while IPv6 addresses are 128 bitnumbers. IPv4 addresses are often represented in human friendly decimalnotation as four three digit numbers separated by decimal points (e.g.000.000.000.000). Extra leading zeros are sometimes removed from thedecimal notation, but are included above for explanatory purposes. Eachof the numbers is actually represented by eight bits. An eight bitnumber can represent decimal numbers between 0 and 255). Thus, each ofthe four numbers of the IP address may be between 0 and 255. The methoddisclosed herein is not version specific and may be used with anyversion of IP addresses. The size of the range encompassing a set of allIP addresses is determined by the bit size of that version's IPaddresses. For example IPv4 addresses are 32 bits long resulting in arange of 2^32 possible IP addresses. Similarly, the range of IPv6addresses is 2^128 possible IP addresses. The range of the IP addressesaccording to the method disclosed herein may be the range of allpossible IP addresses (e.g., 0 to 2^32−1 for IPv4 addresses) or anyappropriate subset of all possible IP addresses.

Whatever the range, the method includes dividing the range into aplurality of clusters representing a plurality of contiguous sub-ranges,an example of which is shown in FIG. 2, and assigning each IP address tothe cluster associated with the sub-range that includes the numericvalue of that IP address. Each of the clusters has cluster size definedby the number of IP addresses assigned to that cluster. The size of thesub-ranges is the number of IP addresses that could be placed in thecluster. In FIG. 2, for example a plurality of IP addresses 200 having arange between 0 and 31, inclusive is divided into four clusters 202,204, 206 and 208. Each cluster 202, 204, 206, 208 has a sub-range sizeof eight possible IP addresses. The size of a cluster 202, 204, 206 or208 depends on how many IP addresses from the plurality of IP addresses200 are encompassed by the sub-range of that cluster 202, 204, 206 or208. A cluster is simply a set. Numerous possible implementations ofclusters are possible. According to some embodiments the clusters areimplemented by a map, an array, a list, a hash table, etc. According toat least one embodiment, the clusters are managed and/or searched usinga Standard Template Library (STL) list.

The plurality of contiguous sub-ranges may be determined in numerousdifferent ways. As will be explained more fully below, after theclusters have been populated with the IP addresses from the plurality ofIP addresses, the IP addresses will be assigned to pages by cluster.Each page may have a page size limit, also known as a maximum size, thatmay be expressed in terms of a number of IP addresses or a bit size.Although page sizes, cluster sizes, and page size limits will bediscussed herein in terms of number of IP addresses, it should beunderstood that bit sizes may be interchangeably used. For example, apage size limit of one IP address is the same as a page size limit of 32bits for IPv4 addresses or 128 bits for IPv6 addresses). Because of thepage size limit, each cluster may have no more IP addresses assigned toit than the page size limit. One technique for determining the pluralityof sub-ranges is to assign each sub-range the same number of numericvalues, where the number of numeric values is equal to the page sizelimit. With such a division, no cluster could include more IP addressesthan the page size limit. This way of dividing the range will work withany number of IP addresses, with any range of IP addresses, and with anydistribution of IP addresses. However, such a division results in a verylarge number of clusters. Additionally, as the plurality of IP addressesmay be widely spread over the range and may not be linearly distributedover the range. Thus there may be many clusters with no IP addresses inthose clusters sub-ranges.

Accordingly, in some embodiments, the range may be divided into as fewclusters as possible while still avoiding any cluster having a clustersize greater than the page size limit. Various techniques, includingvarious heuristic techniques, are available for determining the numberof clusters and the size of the sub-ranges to minimize the number ofclusters and maximize the size of the sub-ranges of the clusters. Onetechnique to minimize the number of clusters is to begin with onecluster. When the IP addresses are assigned to the cluster, as soon as(or if) the number of IP addresses assigned to the cluster exceeds thepage size limit, the assigning is stopped, the number of clusters isdoubled (to two) and the assigning begins again. The process stops andthe cluster size is again doubled as soon as the number of IP addressesassigned to any cluster exceeds the page size limit. The process isrepeated until the number of IP addresses assigned to each cluster isless than or equal to the page size limit. With a large number of IPaddresses such a technique may require numerous iterations and arelatively long time.

Another technique assumes that the IP addresses are relatively linearlydistributed and divide the number of IP addresses in the plurality ofaddresses by the page size limit. Thus, for example, if the page sizelimit is 2^10 and the number of IP addresses is 2^16, the number ofclusters is 2^6. If the range is all IPv4 addresses, the range is 2^32.Dividing the range (2^32) by the number of clusters (2^6) indicates thateach cluster has a sub-range of 2^26 IP addresses. According to someembodiments this sub-range is then incremented to the next power of two(i.e., incremented to 2^27 in this example) and the number of clustersis correspondingly decreased by a power of two (i.e. decreased to 2^5 inthis example).

However an initial number of clusters is determined, the iterativetechnique discussed above may be applied to ensure that no cluster has acluster size larger than the page size limit. A flow diagram of theprocess is illustrated in FIG. 3. In the techniques discussed in thepreceding paragraph a linear distribution is assumed. If this assumptionis correct, the number of clusters determined by dividing the number ofIP addresses by the page size limit will result in no cluster having acluster size larger than the page size limit. If however, the IPaddresses are not linearly distributed or possibly if the number ofclusters is decreased by a power of two as discussed above, some of theclusters may have a cluster size greater than the page limit size.According to some embodiments, therefore, the number of clusters isdoubled (increased by a power of two) and the assigning of IP addressesto clusters is restarted when any cluster's cluster size exceeds thepage size limit. The comparison may be done as the IP addresses arebeing assigned to the clusters or after all IP addresses have beenassigned to clusters. Referring again to FIG. 3, at 300 the processbegins with an initial number of clusters. Each cluster has a sub-rangeof a range of IP addresses. The process continues at 302 by determiningif there are any having IP addresses that have not been assigned to acluster. If not, the process is complete at 304 and all IP addresseshave been assigned to clusters. If, however, there are unassigned IPaddresses, the process continues to 306 and the unassigned IP addressesare assigned to the cluster whose sub-range encompasses the unassignedIP address. At 308, the cluster size of the cluster to which theunassigned IP addresses were assigned is compared to the page sizelimit. If the cluster size is not greater than the page size limit, theprocess returns to 302. If the cluster size of the cluster does exceedthe page size limit, at 310 all previously assigned IP addresses areunassigned, the number of clusters is doubled, the size of thesub-ranges is reduced by one-half, and the process returns to 302. Theprocess of stopping, doubling the number of clusters (and decreasing thesize of the sub-ranges) and restarting the assigning of IP addresses toclusters may be repeated until the cluster sizes are all less than orequal to the page size limit. By using this technique and deliberatelystarting with a number of clusters that would result in cluster sizesgreater than the page size limit, the number of clusters can beminimized.

After the IP addresses have been assigned to the appropriate clusters,the clusters may be ordered. The clusters are ordered by cluster size.The ordering may be in order of increasing or decreasing cluster size.Additionally, or alternatively, a cluster list may be created. Thecluster list contains all clusters and their associated data, includingthe IP addresses assigned to each cluster. The clusters may be orderedby cluster size in the cluster list.

The IP addresses in each cluster are assigned to one of a plurality ofpages. In one embodiment, the pages are an array of contiguous memorybytes. Each page has a page size limit defining the maximum number of IPaddresses that can be assigned to that page and a page size defined bythe number of IP addresses assigned to that page. In other embodiments,pages can be implemented in various other ways, such as using binarytrees.

Generally, the page size limit(s) may be any appropriate size. Accordingto some embodiments, however, it is preferred that the page size limitbe a size that will result in a page with a size small enough to bestored in cache memory of a processor with which the page will be used.Such preferred page sizes increase cache locality. Data stored in aprocessor's cache memory may be accessed, manipulated, etc. much fasterthan data stored remote from the processor. Thus, a page size limitsmall enough that a page may be entirely loaded into cache memory mayincrease the speed at which the pages can be searched. Different pagesmay have different page size limits. In some embodiments, however, thepage size limit of each page is the same.

The IP addresses in the clusters may be assigned to pages according tovarious techniques. Initially, at least one page is created. Althoughthe cluster can be simple assigned one cluster to one page, othertechniques may be preferable. Thus, according to some embodiments, theclusters are assigned to pages according to either a first fit or a bestfit algorithm.

Various implementations of first fit algorithms are appropriate and maybe used as part of methods disclosed herein. One example implementationis illustrated by the flow diagram 400 in FIG. 4. When assignedaccording to a first fit algorithm, for each cluster, the existing pagesare searched sequentially, beginning with the first page, to find thefirst page with enough room to hold the IP addresses in the clusterwithout exceeding the page size limit. At 402 the process of assigningIP addresses from each cluster to pages begins. At 404 the processdetermines whether there are any clusters whose IP addresses have notbeen assigned to pages. If there are no such clusters, at 406, theprocess is complete. If there are clusters whose IP addresses have notbeen assigned to pages, the first cluster with unassigned IP addressesis selected at 408 and the existing pages are examined, beginning withthe first page. The process may also begin with the last cluster or anyother appropriate cluster. In the context of this process, the firstpage may be the first page by order, the page with the most IP addresseson the page, the page with the least IP addresses on the page, the lastpage by order, etc. At 410, it is determined whether the cluster's IPaddresses will fit on the retrieved page. If it will, the cluster isassigned to that page at 412 and the process returns to 404. If thecluster's IP addresses will not fit on the page, the process continuesto 414 to determine if there are more existing pages. If there are nomore pages available to examine, a new page is created and the cluster'sIP addresses are assigned to that page at 416 and the process returns to404. If there are additional pages available, the page number to examineis incremented by one, at 418, and the process returns to 410 todetermine if the cluster's IP address will fit on the page.

Various implementations of best fit algorithms are appropriate and maybe used as part of methods disclosed herein. One example implementation500 is illustrated in FIG. 5. When assigned according to a best fitalgorithm, for each cluster, the existing pages are searched todetermine if there is a page with exactly enough room to hold the IPaddresses in the cluster without exceeding the page size limit. Theprocess begins at 502. At 504, the process determines whether there areany clusters whose IP addresses have not been assigned to pages. Ifthere are no such clusters, at 506, the process is complete. If thereare clusters whose IP addresses have not been assigned to pages, thefirst cluster with unassigned IP addresses is selected at 508 and thenumber of IP addresses (referred to in FIG. 5 as X IP addresses)assigned to that cluster (its cluster size) is identified. At 510, theprocess determines if there is an existing page with X empty slots. Thenumber of empty slots, sometimes also referred to herein as freeentries, is the page size limit minus the page size (both expressed innumber of IP addresses) and indicates how many more IP addresses may beassigned to that page without exceeding the page size limit. If there isa page with X empty slots, the cluster's IP addresses are assigned tothat page at 512 and the process returns to 504. If there is no suchpage, the process determines at 514. If not, at 516 a new page iscreated, the cluster's IP addresses are assigned to the new page and theprocess returns to 504. If there are pages with more than X empty slots,X is increased by one at 518 and the process returns to 510.

The assigning of clusters to pages, whether by best fit, first fit, orany other suitable algorithm, continues until each cluster has beenassigned to a page.

According to one embodiment, assignment of IP addresses of the clustersto pages utilizes a cluster list and a page list. As described above,the cluster list contains all clusters and their associated data items.The cluster list is sorted in descending order by the number of entriesin each cluster (i.e. the cluster size). A page list is created thatwill contain pages containing one or more clusters. The page list issorted by the number of free entries (the page size limit minus the pagesize) available for each page. Particularly if a first fit algorithm isbeing used, the page list may be sorted by number of free entries (orempty slots) in ascending order. For each cluster, the cluster isretrieved and the page list is searched for a page that has enough freeentries to hold all the IP addresses in that cluster. This search may beaccording to a first fit algorithm, a best fit algorithm or any othersuitable algorithm. If a page is found with enough free entries, thecluster's IP addresses are assigned to the page and the page list isupdated to reflect the free entries now remaining on the page. If thepage list was ordered by number of free entries, the page list isreordered after each cluster is assigned. If, however, there are nopages with enough free entries, a new page is allocated and the IPaddresses of the first cluster are assigned to the page. The page listis updated to indicate the new page and the number of free entries onthe new page. The process repeats for subsequent clusters until allclusters have been assigned. According to some embodiments, all clustersthat do not include any IP addresses may be assigned to the same page.This page may be page 0, a null page, or any other suitable page. Thisassignment to a null page may speed up searching the IP addresses. Assoon as it is determined that an IP address being search for is in asub-range associated with a cluster assigned to the null page, thesearch can be stopped because the null page includes no IP addresses andtherefore the searched for IP address is not part of the plurality of IPaddresses that have been assigned to the pages.

According to some embodiments, a load factor is determined after all ofthe clusters have been assigned to pages. The load factor is a ratio ofthe sum of the page size limit of the plurality of pages to the numberof IP addresses in the plurality of IP addresses. The load factor may beconsidered the ratio of resources used to amount of data stored. Itrepresents the compactness or efficiency of the pages populated with theIP addresses. The lower the load factor the more compact the populatedpages are. The more pages used for a given number of IP addresses, thehigher the load factor. Similarly, more efficiently populated pages,i.e. pages having page sizes close to or equal to the page size limitwhen populated with the IP addresses, are more likely to result in fewerpages being needed and the load factor may be reduced. If the methodsdisclosed herein are utilized the load factor may be very low. The loadfactor, according to some embodiments, is compared to a load factorthreshold. The load factor threshold can vary based on various factors,including desired speed of processing, amount of memory available in asystem with which the pages will be used, amount of processing poweravailable in a system with which the pages will be used, etc. Accordingto at least one embodiment the load factor threshold is ten percent.According to at least one other embodiment, the load factor threshold isfive percent. If the load factor exceeds the load factor threshold, thepages are not as compact as desired. According to some embodiments, whenthe load factor exceeds the load factor threshold, the number ofclusters is doubled, thereby also decreasing the size of each of thesub-ranges by one-half. The IP addresses are reassigned to the newclusters and the IP addresses in the new clusters assigned to pagesaccording to the methods disclosed above. Because the sub-range of eachnew cluster is one-half what it was previously, most new clusters willhave a smaller cluster size. In many cases, this will permit theclusters to be fit more efficiently into the pages, reducing theunpopulated space in the pages, and decreasing the load factor. If theload factor remains above the load factor threshold, the number ofclusters may again be doubled and this iterative process may continueuntil the load factor is reduced to, or below, the load factorthreshold. Alternatively, or additionally, this process may be repeatedfor a set maximum number of iterations before being stopped. Suchmaximum number of iterations may be useful to prevent the process frombeing repeated too many times and creating more clusters than isdesired.

After the pages have been populated with IP addresses from the clusters,some of the pages may still have free entries remaining. Accordingly, ifone of the pages has a page size less than its page size limit, themethod includes duplicating on that page at least one of the IPaddresses assigned to that page to increase the page size of that page.In some embodiments, the at least one IP address may be duplicated onthe page until the page size is increased to about the page size limit.This duplication of IP addresses to increase the page size to about thepage size limit may be referred to sometimes as padding the pages. Theat least one IP address may be one IP address, possibly repeatedlyduplicated, or it may be multiple IP addresses. The IP address oraddresses to duplicate may be randomly selected or specificallyselected. For example, only the first IP address in a page may beduplicated on the page, only the middle IP address may be duplicated,the IP addresses may be duplicated in order, a single randomly selectedIP address may be duplicated, multiple IP addresses may be randomlyselected and duplicated, etc. In at least one embodiment, the at leastone IP address is a plurality of randomly selected IP addressesduplicated until the page size is about the page size limit.

The method also includes ordering, for each page, the IP addressesassigned to that page by numeric value. This ordering may make searchingthe page easier. Additionally, the padding of the pages, the IPaddresses of which are then ordered by numeric value, may offer somebenefits when the pages are searched. For example, if a page has a pagesize equal to the page size limit, the number of data elements (i.e. IPaddresses) on the page is known. That number of IP addresses is the pagesize limit. Thus, a table lookup may be used during the searching. Themidpoint of the page is a known spot in the page. If a page has 1024 IPaddresses, the midpoint of a padded page is the 512th IP addressregardless of what the values on the page are and regardless of how manydistinct IP addresses are assigned to the page. Additionally, when allpages are so padded and the page size limit of each page is the same,the midpoint of every page is the same. Thus, the midpoint of everypage, and accordingly every subsequent midpoint of the portion above orbelow the midpoint, is a known point, or element, in the page.Particularly using a binary search, sometimes referred to as a divideand conquer search, being able to identify the IP address that is themidpoint without calculation may increase the speed of the search.

According to some embodiments a page record is generated. The pagerecord includes all of the cluster sub-ranges and the page to which theIP addresses in that sub-range are assigned. This data may be arraignedin a tuple of the first numeric value in the sub-range, the last numericvalue in the sub-range and the number of the page with which thesub-range is associated. The page record, however, is not so limited andmay be implemented using any appropriate method of indicating whichsub-range or sub-ranges are associated with each page.

In some embodiments one or more bloom filters may also be created. Bloomfilters are a short-circuit. The bloom filter may be used to identify IPaddresses that are not in the plurality of IP addresses assigned to thepages without actually searching the pages. A separate bloom filter maybe created for each page or a bloom filter may be created for all of thepages. The bloom filter is a bit map having some number of bits, whereeach bit represents a certain number or combination of numbers. Forexample, the first bit of a bloom filter may represent the number 0while the 256th bit represents the number 255. The bloom filter may bemapped to a portion of the IP addresses associated with a page, such asthe bits representing the first decimal number, the last decimal number,etc., such that each bit in the bloom filter is associated with onenumber of the IP address. Alternatively, or additionally, each bit maybe mapped to some combination of numbers of an IP address. Thecombinations of numbers may be the result of a function. Thus, forexample, a bloom filter may represent the first two numbers of an IPaddress exclusive or'd with the last two numbers, or the first numberand'd with the last two numbers, etc. Each bit may be set to a 1 or a 0.If a bit is set to 1, an IP address associated with the page includesthat bits number. Conversely a bit in the bitmap that is set to 0indicates that no IP address on the page includes that bits number. Byway of example, if the IP address 208.77.188.166 is the only numberincluded on a page, all bits of a bloom filter for the first number ofthe IP addresses on the page would be zeros except the 209th bit(representing the number 208), which would be set to 1. In use, bloomfilters may give false positives (i.e. indicate that a number may be ona page when it is in fact not), but not false negatives (i.e. indicatingthat a number is not on a page when in fact it is). Continuing theexample above, if an IP address to be searched for is 208.70.XXX.XXX,the bloom filter indicates that the IP address may be one of the IPaddresses associated with the page (even though it is not in thisexample). Thus the page would still need to be searched to determinethat the address 208.70.XXX.XXX is not an IP address assigned to thepage. Conversely, if the IP address to be searched is 192.XXX.XXX.XXX,by simply looking at the 193 bit of the bloom filter the bloom filterindicates, correctly, that the IP address is not one of the IP addressesassociated with the page. Because bit 193 is a zero, there are no IPaddresses that begin with 192. Accordingly, the page need not besearched. Additionally, a plurality of bloom filters may be used. Eachof the plurality of bloom filters is based on a different number, groupof numbers, function using the numbers, etc. of the IP addresses. Theplurality of bloom filters may be checked sequentially until all bloomfilters indicate that the IP address searched is not within any of thepages, until on of the bloom filters indicates the IP address may be inthe pages, etc. As can be seen, the use of bloom filters may decreasethe amount of time required to determine whether an IP address ispresent within a plurality of IP addresses processed according to thedisclosed methods. This improved performance is particularly notablewhen a large number of IP addresses to be search for will not and/or arenot part of the plurality of IP addresses on the pages.

After one or more of the methods disclosed herein has been performed,the pages containing the IP addresses are ready to be searched. Anycombination of searching the pages directly, searching the page recordto determine on which page to search and/or using the bloom filter todetermine if searching the pages and/or the page record is evennecessary may be used. According to some embodiments, the bloom filteris searched first to determine if an IP address is not an IP addressassociated with one of the pages. If the bloom filter indicates the IPaddress is not an IP address associated with one of the pages, nofurther searching may not be necessary. If the bloom filter indicatesthe IP address may be an IP address associated with one of the pages,the table record may be searched to determine with which page thesub-range encompassing the IP address is associated. After such page isdetermined, the page itself is searched to determine whether the IPaddress is one of the IP addresses assigned to such page.

FIG. 6 illustrate one example process 600 for searching to determine ifan IP address is one of the plurality of IP addresses. In this example,a page record and a null page are used, but no bloom filter is used. At602, the sub-range that encompasses the IP address is determined. Thepage record is searched at 604 to determine which page contains thesub-range encompassing the IP addresses. At 606, whether the pagereturned by the search in 604 is a null page is determined. If thereturned page is a null page, the search is complete at 608 and the IPaddress is not one of the plurality of IP addresses. If the returnedpage is not a null page, the process continues to 610 and the returnedpage is retrieved. The page is then searched for the IP address at 612.If, at 614, the IP address is not on the page, the process is completeat 608 and the IP address is not one of the plurality of IP addresses.If the IP address is on the page, the search is complete at 616 and theIP address is one of the plurality of IP addresses.

The searching according to embodiments discussed herein may be anyappropriate method of searching for a data item. For example the searchmay be a binary search (sometimes referred to as a binary divide andconquer search), a linear search, an interpolation search, a search asdescribed in co-owned U.S. patent application Ser. No. 11/591,802 (nowU.S. Pat. No. 8,077,708), etc. The entire disclosure of theabove-referenced application is incorporated herein by reference for allpurposes

Additionally, or alternatively, the pages created by the methodsdescribed herein and/or the page record may be combined with appropriateinstructions to create an engine for determining whether an input IPaddress is contained in the plurality of IP addresses processedaccording to the methods described above. The engine includes the pageswith their assigned IP addresses, instructions operable to cause aprocessor to search the pages, and a finite state machine (FSM). Theengine may sometimes be referred to as a pre-compiled exception listengine. The FSM includes the page record and instructions operable tocause a processor to search the page record and output an indication ofwhich, if any, page will contain the input IP address if it is present.When an IP address is input to the engine, the FSM searches the pagerecord to identify on which page the sub-range encompassing the input IPaddress is located and outputs an identifier of that page. Theappropriate page is then searched to determine whether the IP address islocated on the page. The engine then outputs a yes or no answer, forexample a 1 or a 0, indicating that the input IP address is or isn't,respectively, one of the plurality of IP addresses. Some or all of theitems discussed above, such as, for example bloom filters, may also, oralternatively, be included in the engine.

A simplified example of the use of the methods described herein will nowbe described with reference to FIG. 7. For simplicity the someintervening steps are not illustrated and will only be described. Forthis example, the plurality of IP addresses 700 will be represented by aset of thirty numbers within a range which is the set of eight bitintegers (i.e., all numbers are between 0 and 255, inclusive). Eachnumber therefore, will have a size of eight bits. The page size limitfor this example is eight IP addresses (or 64 bits). Thus, each clustercan have no more than eight IP addresses assigned to it. A load factorthreshold of 1.5 will be used for this example.

For sake of example, the range is initially divided into only twoclusters. Each cluster has a sub-range of one half the range. The IPaddresses are assigned to the clusters as discussed above. As isapparent, however, there is no way thirty IP addresses can be assignedto two clusters without at least one cluster including more than eightIP addresses. Therefore, the number of clusters is doubled and the sizeof the sub-ranges decreased by one-half. At this point there are fourclusters. The IP addresses are assigned to them as discussed above. Theresult is a first cluster with a sub-range of (0-63) having twelve IPaddresses (2, 3, 5, 11, 13, 33, 34, 41, 45, 50, 51, 60) assigned to it.A second cluster has a sub-range of (64-127) having six IP addresses(65, 66, 82, 83, 84, 85) assigned to it. A third cluster has a sub-rangeof (128-191) having five IP addresses (150, 151, 170, 175, 180) assignedto it. Finally, a fourth cluster has a sub-range of (192-255) havingseven IP addresses (200, 205, 210, 225, 230, 235, 240) assigned to it.The first cluster still contains more than the page size limit of eightIP addresses and will not fit on a page. Therefore, the number ofclusters is again doubled and the size of the sub-ranges is againdecreased by one-half. The IP addresses are reassigned to the newclusters. The result is eight clusters 702-716. Each cluster 702-716 hasa sub-range size of thirty-two possible IP addresses. The sub-range ofeach cluster 702-716 is indicated by SR in FIG. 7. The values of the IPaddresses assigned to each cluster 702-716 are also indicated within thecluster. Finally, the cluster size (labeled as “Size” in each cluster702-716), for each cluster is indicated. For example, the first cluster702 has the sub-range 0 to 31. The IP addresses assigned to the cluster702 are (2, 3, 5, 11 and 13). Thus, the first cluster has a cluster sizeof five.

Because each cluster 702-716 now has a cluster size less than or equalto the page size limit, the IP addresses in each cluster may be assignedto pages 718-724. The clusters are sorted in descending order accordingcluster size. Accordingly, the first cluster is cluster 704, having acluster size of 7, and the last cluster is cluster 708, having a clustersize of 0. In this example, the clusters are assigned according to afirst fit algorithm. Beginning with the largest cluster, cluster 704, apage with enough room to hold all of the IP addresses of cluster 704 issearched for. There are no pages to begin with and, therefore, no pagewith at room for at least seven IP addresses. Accordingly, a page 718 iscreated and the IP addresses from cluster 704 are assigned to it. Thenext largest cluster 706 has a cluster size of six. As the page sizelimit is eight and there are already seven IP addresses assigned to thefirst, and at this point only, page 718, there is not enough room on anyexisting page for the IP addresses of cluster 706. Thus, a second page720 is created and the IP addresses from cluster 706 are assigned to thepage 720. Similarly, neither the first page 718, nor the second page 720has sufficient free entries to hold the IP addresses of the next largestcluster 702. A third page 722 is, therefore, created and the IPaddresses of the cluster 702 are assigned thereto. Again, none of thepages 718, 720 or 722 have enough free entries to hold the four IPaddresses of cluster 716. A fourth page 724 is created, to which the IPaddresses of the cluster 716 are assigned. The next to be assigned iscluster 712, with a cluster size of three. Neither the first page, northe second page has enough room for the three IP addresses of cluster712. The third page 722 however, only contains five IP addresses of theeight that it can hold. Therefore, the IP addresses of cluster 712 canbe, and are, assigned to the third page 722. When the next cluster 714is assigned, the fourth page 724 is the first page having enough freeentries to hold the IP addresses of cluster 714. At this point the firstpage 718 has one free entry, the second page has two free entries, thethird page has zero free entries and the fourth page has one free entry.Cluster 710 is the next largest cluster with two IP addresses. The firstone of the pages 718-724 that can hold the IP addresses in cluster 710is the second page 720, to which the IP addresses are assigned. The lastcluster 708 has no IP addresses and a cluster size of zero. The cluster708 is, therefore, assigned to a null page (which may be page zero),indicating that it includes no IP addresses. All IP addresses in theclusters 702-716 have now been assigned to pages 718-724.

A load factor may be calculated at this point. As discussed above, theload factor is the ratio of the sum of the page size limits to number ofIP addresses in the plurality of IP addresses (or alternatively, butequivalently, to the sum of the page sizes). In this example, the pagesize limit is eight. The sum of the page size limits therefore isthirty-two. The sum of the page sizes and the number of IP addresses inthe plurality of IP addresses 700 is thirty. Thus, the load factor is32/30 or 1.067. This load factor is acceptable (i.e. it is below theload factor threshold of 1.5). If the load factor were above the loadfactor threshold, the number of clusters would be doubled again asdiscussed above and the entire process discussed above is repeated againuntil the load factor is below the load factor threshold.

The IP addresses assigned to each page 718-724 are next sorted innumerical order. The first page 718 and the fourth page 724 have pagesizes (seven in both cases) lass than the page size limit of eight. Foreach page 718, 724 a random IP address is chosen from the IP addressesassigned to that page 718, 724 and duplicated on that page 718, 724. Forthis example, thirty three was duplicated on first page 718, and twohundred ten was duplicated on the fourth page 724. The result is fourpages 726-732 each having a page size equal to the page size limit ofeight.

Either after the IP addresses have been assigned to the pages 726-732 orwhile the IP addresses are being assigned to pages 718-724, a pagerecord may be created. The page record indicates each of the sub-rangesof the clusters 702-716 (typically by starting value and ending value)and the page to which the IP addresses encompassed by that sub-rangewere assigned. The page record can consist of a tuple for each sub-rangeformatted as (start value, end value, page number). Thus, the pagerecord for this example would be: (0,31,3); (32,63, 1); (64,95,2);(96,127,0); (128,159,2); (160,191,3); (192,223,4); (224,255,4). Theplurality of IP addresses 700 may now be searched using the pages726-732 and the page record as discussed above and/or an enginegenerated for searching the plurality of IP addresses.

Although primarily discussed in terms of internet protocol (IP)addresses, the methods disclosed herein is not so limited and may beapplied to other types of data. For example, the methods may be appliedto data such as street addresses, social security numbers, driver'slicense numbers, bank check numbers, etc.

Because of the speed at which very large set of IP addresses may besearched according to the methods presented herein, one use for suchmethods is in connection with network devices (also sometimes referredto as appliances). These devices, including appliances such asfirewalls, routers, servers, etc., may receive packets of data from afirst network and process the packets of data. The processing mayinclude processing internal to the appliance (such as, for example,allowing the packet to cause an application to run on the appliance,cause the appliance to transmit data, files, etc. back to the computeroriginating the packet, etc.) and/or may include passing the packets toa second network. These devices may include rules, policies, etc., forwhether to allow certain packets to be processed or to enter the secondnetwork. For example, a firewall may be located between a network andthe internet. The firewall may wish to block packets originating fromand/or addressed to certain IP addresses. These IP addresses may be theIP addresses of known spammers, hackers, foreign governments, etc.Alternatively, or additionally, these appliances may wish to block allpackets except those originating from certain known IP addresses and/orprocess packets from certain IP addresses differently (such as, forexample, prioritizing transmission of the packets, limiting bandwidth,etc.).

Thus, according to one aspect of the present disclosure, and asillustrated in FIG. 8, a network appliance 800 for connection to a firstnetwork 802 is disclosed. The appliance 800 includes at least one input806 coupled to the first network 802 for receiving a packet from thefirst network 802. The packet includes an internet protocol (IP)address. The appliance 800 also includes at least one processor 808 fordetermining whether to allow the packet from the first network 802 toproceed and at least one memory device 810 storing instructions anddata. The data includes a plurality of pages storing a plurality ofexcepted IP addresses. The excepted IP addresses each has a numericvalue within a range. The range is divided into a plurality ofcontiguous sub-ranges and each page includes one or more of the exceptedIP addresses having numeric values within one or more of the sub-rangesassociated with that page. Each page has a page size defined by thenumber of IP addresses assigned to that page. The excepted IP addressesare assigned to each page ordered by numeric value. The at least oneprocessor 808 is configured via the instructions to identify the IPaddress of the packet from the first network 802, identify a target pagethat will include the IP address if the IP address is one of theplurality of excepted IP addresses, search the target page to determineif the IP address is one of the excepted IP addresses in the targetpage, and process the packet from the first network 802 according towhether the IP address is an excepted IP address in the target page.

The processing the packet according to whether the IP address is anexcepted IP address may include processing internal to the appliance 800and/or may include passing the packets to a second network 804. If theprocessor 808 determines to allow the packet to proceed, processinginternal to the appliance 800 may include allowing the packet to causean application to run on the appliance 800, allowing the packet to causethe appliance 800 to transmit data, files, etc. back to the computeroriginating the packet, etc. Thus, for example, the appliance may be aWeb server, network server, etc. that may determine whether to allow aremote user to access a webpage, run a program stored on the server,view/download files stored on the server, etc. The appliance 800 mayalso include at least one output 812 coupled to a second network 804 fortransmitting the packet from the first network 802 to the second network804 if the processor 808 determines to allow the packet from the firstnetwork 802 to enter the second network 804.

According to another aspect of the present application, a networkappliance 800 for connection to a first network 802 includes at leastone input 806 coupled to the first network 802 for receiving a packetfrom the first network 802. The packet includes an internet protocol(IP) address. The appliance 800 includes at least one processor 808 fordetermining whether to allow the packet from the first network 802 toproceed and at least one memory device 810. The appliance 800 alsoincludes a first engine stored in the memory device 810. The firstengine includes a plurality of pages storing a plurality of excepted IPaddresses. The excepted IP addresses each has a numeric value within arange of numeric values and the range is divided into a plurality ofcontiguous sub-ranges. Each page includes one or more of the excepted IPaddresses having numeric values within one or more of the sub-rangesassociated with that page. Each page has a page size defined by thenumber of excepted IP addresses assigned to that page. The excepted IPaddresses are assigned to each page ordered by numeric value. The firstengine also includes a first finite state machine (FSM). The first FSMincludes instructions executable by the processor 808 to determine thepage associated with the sub-range encompassing the IP address. Theengine includes instructions operable to cause the processor to searchthe page associated with the sub-range encompassing the IP address todetermine if the IP address is an excepted IP address and output anindication of whether the IP address is an excepted IP address. Theprocessor 808 is also configured via instructions stored in the memorydevice 810 to process the packet from the first network 802 according tothe indication from the first engine.

The processing of the packet according to the indication from the firstengine may include processing internal to the appliance 800 and/or mayinclude passing the packets to a second network 804. If the processor808 determines to allow the packet to proceed, processing internal tothe appliance 800 may include allowing the packet to cause anapplication to run on the appliance 800, allowing the packet to causethe appliance 800 to transmit data, files, etc. back to the computeroriginating the packet, etc. Thus, for example, the appliance may be aWeb server, network server, etc. that may determine whether to allow aremote user to access a webpage, run a program stored on the server,view/download files stored on the server, etc. The appliance 800 mayalso include at least one output 812 coupled to the second network 802for transmitting the packet from the first network 802 to the secondnetwork 804 if the processor 808 determines to allow the packet from thefirst network 802 to enter the second network 804 via processing thepacket according to the indication from the first engine.

The processor 808 may include cache memory 814. As discussed above,cache memory resides on the processor 808. Accessing, manipulating,acting upon, etc. data occurs much quicker when the data is stored incache memory 814 than when it is stored in separate memory, such asmemory device 810. For this reason, it may be preferable to have thepage size limit of each page be selected such that the entire page willfit in the cache memory 814.

According to various embodiments, the excepted IP addresses may be IPaddresses to be allowed entry to the second network, denied entry to thesecond network, and/or specially processed. Thus, in some embodiments,if a packet's IP address is an excepted address, the packet is preventedfrom entering the second network. In other embodiments, if a packet's IPaddress is an excepted address, the packet is allowed to enter thesecond network. In still other embodiments, if a packet's IP address isan excepted address, the packet is specially processed, such as beingprioritized, rerouted to a different destination (whether within orwithout the second network), etc. The appliance 800 may operate with twoor more sets of pages and page records and/or more than one engine asdescribed above. For example, one engine may include pages havingexcepted IP addresses that are to be blocked, while a second engineincludes excepted IP addresses to be allowed. There may also be morethan one engine with one type of excepted IP address (e.g., blocked,allowed, special, etc.). Thus, a first engine may include excepted IPaddresses of known hackers, while another engine includes excepted IPaddresses of known spammers. Although only two engines are describedabove, there may be more than two. The engines, when there is more thanone, may be prioritized in any appropriate manner. As one example, if anIP address is found by one engine (A), the appliance may restrictbandwidth available to packets from that IP address. IP addresses foundby another engine (B) may be given high priority and increasedbandwidth. If the IP address of an incoming packet is found by bothengine (A) and engine (B), the appliance may need to apply priorityrules to determine how to handle the packet. For example, engine (B) maybe given highest priority and the packet may be given priority, orengine (A) may be given the higher priority and packets from the IPaddress will be permitted limited bandwidth. Additionally, oralternatively, more complex rules of priority may apply (such as Aprioritized over B except when D is also true, etc.).

In various embodiments some or all of the elements of the methoddiscussed above may be incorporated in or used with the appliance 800.Thus, for example, the data may include a page record. The processor 808may be configured by the instructions to identify the target page bysearching the page record. The processor 808 may be configured by theinstructions to determine that there are no excepted addresses in thesub-range encompassing the IP address by searching the page record. Thedata may also include a null page associated with any sub-rangeencompassing no excepted addresses.

In one example embodiment, the appliance 800 is used by setup by a user(sometimes referred to as an administrator). The user may perform themethod discussed above on a computer that is not the appliance 800. Thepage size limit should be selected such that an entire page will fitwithin the cache memory 814 of the appliance's 800 processor 808. Theresulting pages and page records, or the resulting engines are thenuploaded to the appliance 800 and stored in the at least one memorydevice 810. Alternatively, or additionally, the method may be performedwithin the appliance 800 itself if the appliance 800 has enough memory,processing power, etc. When operating, packets from the first networkhave their IP addresses fed to the engines before being allowed to enterthe second network. As discussed above, the engines will perform thesearching and output an indication of whether the IP address of thepacket is in the pages of the engine (i.e., whether it is an excepted IPaddress). Depending on the result and the configuration of the appliance800, the appliance 800 may allow, block, specially treat, etc. thepacket, it may apply some other action to the packet (such as scanningit, copying it, etc.), or it may input the IP address to another engine.Alternatively, or additionally, the IP address of the packet may besimultaneously input to two or more engines (i.e., parallel processed).

The foregoing description of the embodiments has been provided forpurposes of illustration and description. It is not intended to beexhaustive or to limit the invention. Individual elements or features ofa particular embodiment are generally not limited to that particularembodiment, but, where applicable, are interchangeable and can be usedin a selected embodiment, even if not specifically shown or described.The same may also be varied in many ways. Such variations are not to beregarded as a departure from the invention, and all such modificationsare intended to be included within the scope of the invention.

Internet Protocol Threat Prevention

Aspects of the invention permit blocking high-risk IP connections inreal-time based on IP threat information while allowing users to tailortheir acceptable risk profiles to match the security requirements oftheir network resources. IP threat information provides details relatingto potentially high-risk IP addresses. This information includes, atleast in part, an IP address, a named risk category, and a risk scorecorresponding to a confidence level that the associated IP address isactually a threat within the named category. It is contemplated thatadditional information relating to the IP address may be included. In anembodiment, IP threat information is acquired from one or more providers(e.g., IRIPs) via a real-time feed based on an encoding format, such asXML or JSON, across a communications network. In another embodiment, IPthreat information is acquired from a computer-readable storage medium.

FIG. 9 illustrates a process for assessing threats embodying aspects ofthe present invention. In accordance with aspects of the presentinvention, the process assigns weights to various characteristicsassociated with an IP address and adjusts a risk score for the IPaddress by using a mathematical transformation.

In an embodiment of the present invention, the risk category names aremapped into a set of common category names. As shown in FIG. 9, IPthreat information is acquired from a plurality of IRIPs 902 and thenamed risk category provided by each IRIP is mapped into a commoncategory name at 904. For example, attackers commonly hide theiridentities on the Internet through the use anonymous proxies (i.e.,anonymizers), which makes Internet activity untraceable. Different IRIPsmay label an IP address associated with a named risk categorydifferently, depending upon individual naming conventions. For example,different IRIPs may label an IP address from an anonymizer as a “TorNode,” a “Tor Exit Node,” or a “Tor Anonymizing Node.” To create acommon taxonomy, each of the IRIP category names are mapped to a commoncategory name, for example, a “Tor node.” As another example, IRIPs mayuse category names such as “Anonymizer node,” “Proxy node,” and “Relaynode,” which could be mapped to “Proxy node.” Mapping the differentcategory names from different IRIPs into one common category avoidsproblems with naming conventions or spelling issues within a givencategory. Exemplary categories may include, but are not limited to“Command and Control Sever,” “Known Infected Bot,” “Known spam Source,”“Tor Node,” “Known Compromised or Hostile Host,” “Proxy Host,” “HostPerforming Scanning,” “SSH or other brute forcer,” “Fake AV and ASproducts,” “Distributed Command and Control Nodes,” “Suspicious exe ordropper service,” “Mobile CnC,” and “Mobile Spyware Cnc.”

Preferably, the IP threat information mapped at 904 is stored in a localdatabase. In an embodiment, a timestamp (e.g., the date and time) ofacquisition of the IP threat information is stored in the local databasewith the IP threat information. The date and time may be used for agingout entries. As time passes without additional information about aparticular IP address, the certainty of that particular IP address beinga high risk diminishes. For example, an IRIP may list a particular IPaddress as a high risk consistently over a pre-determined period oftime. That particular high-risk IP address may warrant an assignment ofa higher weighting value compared to other high-risk IP addresses thatare not consistently ranked as a high risk.

Referring further to FIG. 9, a Risk Assessment Mitigation Processor(RAMP) engine 906 assigns weights for various characteristics associatedwith the IP address. Exemplary characteristics for which weights areassigned include, but are not limited to, multiple IRIP characteristics908, source and/or destination characteristics 910, originating countrycharacteristics 912, originating ISP characteristics 914, temporalcharacteristics 916, an autonomous system number (ASN) characteristics918, and multiple category characteristics 920. As explained in greaterdetail below, after the various weighting factors have been assigned tothe IP address, the weighted values are then used by a mathematicaltransform 922 (e.g., a linear transform, an exponential transform, or alogarithmic transform) to apply an adjustment to the risk score. Basedon one or more of the weighted risk category values, aspects of theinvention render a decision or otherwise determine an action. Exemplaryactions include a decision to allow traffic, re-route the traffic, allowthe traffic but make a record of it, etc.

FIG. 10 further illustrates the weighting process for multiple IRIPcharacteristics 908. In an embodiment, each IP address that is acquiredfrom multiple IRIPs is assigned a weighting factor value that has agreater weighting factor value compared to a weighting factor valueassigned to an IP address associated with a single IRIP.

FIG. 11 further illustrates the weighting process for source and/ordestination characteristics 910. A weighting factor in this embodimentis applied to take into account the risk associated with connections toIP addresses originating (i.e., inbound or source) or going to (i.e.,outbound or destination) certain regions. Examples of regions include,but are not limited to geographical areas, such as countries, businesssectors, political divisions, and the like. For instance, an IP addressoriginating in China may have a higher risk than an IP addressoriginating in Canada. In addition, an IP address from a regulatedindustry, such as financial or critical infrastructure, may be lesslikely to pose a risk than an IP address from, for example, theentertainment or real-estate industry. Further, connections from apolitical group that strongly supports pornography or other unfavorablesubjects would be more likely to be the target of an attack by cyberactivists, and would be more likely to be infected than an IP addressfrom a political group that supports religious freedom or otherfavorable subjects.

The weighting process of FIG. 11 combines source and/or destinationweight with the risk score provided by each IRIP provider to derive aweighted risk score that takes into account where the connectionoriginates from (inbound) or terminates at (outbound). In the outbound(i.e., destination) case, for example, malware may be resident on acomputer and running unnoticed in the background. When the malware sendsinformation to an IP address, the risk score of the destination IPaddress is compared against the established acceptable level and theconnection is dropped if the score exceeds the maximum acceptable risklevel.

Moreover, in an embodiment the source and/or destination weightingfactor takes into account geographic proximity instead of or in additionto country filtering. Geographic proximity relates to how close the IPaddress is to other IP addresses that are listed as high-risk. Thismethod is not the same as country filtering, although there may be someoverlap between the two methods. This technique uses mathematicalformulas to determine the proximity of a potentially high-risk IPaddress to the nearest cluster of high risk IP addresses. The distanceto the cluster is combined with the weighted threat score of the clusterto determine the risk for the IP address not associated with thecluster. The closer the IP address is to the cluster, the higher therisk score assigned to the IP address. Beneficially, this geographicproximity method provides better results when the cluster and the IPaddress are close in proximity, but in different countries, such as nearthe border. For example, an IP address located 10 miles from Blaine,Wash., could be associated with clusters located in neighboring citiessuch as Seattle, Wash., United States or Vancouver, British Columbia,Canada. If the cluster is located in Seattle and the IP address islocated in White Rock, British Columbia, Canada, it would not be listedas a threat when a country filter (e.g., the United States) is utilized.However, by using geographic proximity, the existence of the UnitedStates-Canada border between the cluster and the IP address isirrelevant and the IP address would be a higher threat risk given itsproximity to the cluster located in Seattle.

FIG. 12 illustrates the weighting process for originating countrycharacteristics 912 according to an embodiment of the invention. Forinstance, in assigning a weight to an IP address originating from aparticular country, the RAMP engine 906 assigns a greater weighted valueto an IP address originating from a higher risk country, such as China,compared to an IP address originating from a lower risk country, such asCanada.

In FIG. 13, the weighting process for originating ISP characteristics914 embodying aspects of the invention considers the ISP's threatexperience. For example, RAMP 906 may take into account the riskassociated with connections originating from a particular ISP that has ahigh number of IP addresses that consistently appear on IP threat feeds,which indicates that the ISP does not enforce adequate restrictionspreventing its IP address space from being used for a malicious purpose.Therefore, the ISP is weighted according to, for example, itsreliability to assess a particular IP address as a threat.

FIG. 14 further illustrates the weighting process for temporalcharacteristics 916. In an embodiment, RAMP engine 906 determines howoften the IP address in question has been listed as a high risk over apredefined time interval and compares that number to a predefinedthreshold value. When the number of times the IP address has been listedas high-risk over the time interval exceeds the threshold value, afrequent weighting value w₁, w₂, . . . , w_(n) is assigned to the riskscore, where w_(i)>0 and w_(i)<2, yielding ±100%. When the number oftimes the IP address has been listed as high-risk over the time intervaldoes not exceed the threshold value a “not frequent” weighting value isassigned to the risk score. In another embodiment, RAMP engine 906determines the time interval since the IP address was previously listedas being a high risk. A time interval weighting value is assigned to therisk score that is proportional to the determined time interval.

Referring now to FIG. 15, a plurality of IRIPs may list a certain IPaddress in more than one named risk category. The exemplary weightingprocess for multiple category characteristics 920 accounts for thissituation. For example, one IRIP may list a particular IP address asspam, whereas another IRIP may list the same IP address as both spam anda Tor Exit Node. In an embodiment, RAMP engine 906 determines whetherthe IP address is listed in more than one named risk category andassigns a “multiple” weighting value when it is listed in more than onecategory and assigns a “not multiple” weighting value when it is notlisted in more than one category. Further, the RAMP engine may assign amultiple category weighting value that is proportional to the number ofnamed risk categories in which the IP address has been listed.

Referring again to the embodiment illustrated by FIG. 17, after thevarious weighting factors have been assigned to the IP address, theweighted values are then used by the mathematical transform 922 (e.g., alinear transform, an exponential transform, or a logarithmic transform)to apply an adjustment to the risk score.

The exemplary flow diagram illustrated in FIGS. 16A and 16B shows thatafter the mathematical transformation, all IP addresses in a named riskcategory are aggregated to determine an aggregate risk score. Anacceptable risk level is received and used to determine if the aggregaterisk score for the category is less than the acceptable risk level forthe category. Based on the aggregate risk score, aspects of theinvention render a decision or otherwise determine an action. Exemplaryactions include a decision to allow traffic, re-route the traffic, allowthe traffic but make a record of it, etc. In one embodiment, when theaggregate risk score is less than the acceptable risk level,communications from IP addresses included in the aggregate risk scoreare allowed to pass through a network firewall. When the aggregate riskscore is greater than or equal to the acceptable risk level,communications from IP addresses included in the aggregate risk scoreare not allowed to pass through a network firewall. It is to beunderstood that any combination of weighted risk scores can beaggregated.

FIG. 17 illustrates an exemplary graphical user interface (GUI) inaccordance with an embodiment of the invention. The user interface ofFIG. 17 allows a user to enter and edit information relating to an IPthreat information provider, such as an IRIP. The entering and editingof information allows IP threat information providers to be added to alist of providers from which IP threat information is acquired.Exemplary information that may be entered and/or edited includes a nameof an IP threat information provider, a provider ID, a provider uniformresource locator or IP address, a cryptographic key, a securitycertificate, and/or IP threat information acquisition preferences.

FIG. 18 illustrates an exemplary GUI in accordance with an embodiment ofthe invention. The user interface of FIG. 18 displays IP threatinformation providers for which a user has entered information. Thedisplay allows a user to quickly determine which IP threat informationproviders are currently being utilized and information associated withthose providers. Exemplary information that may be displayed includes aprovider active status, a provider name, a provider ID, and IP threatinformation acquisition details. The display also allows a user to entercommands to perform certain actions. Exemplary actions includeactivating the threat information acquired from a certain provider,editing provider information, deleting a provider, and reacquiring IPthreat information from the provider.

FIGS. 19 and 20 each illustrate an exemplary GUI in accordance with anembodiment of the invention. In each, GUI displays to a user a pluralityof named risk categories, provides a series of “slider” input controlsor the like, and provides a range of weighted values corresponding toeach named risk category. In an embodiment, the user can select aparticular risk category and move the slider control corresponding tothat category to a particular weight value (e.g., ranging from 0 to 100)that becomes the acceptable risk level for that category. Preferably,the user is also provided a default weight value that can be used as areference to determine if the weight value for a selected categoryshould be increased or decreased based on a current risk assessment asprovided by the IRIPs. It is contemplated that other control means couldbe used to input and assign the weight values, including “spinners,”“gauges,” text entry fields, and like input methods.

Each IRIP may use different numerical values for assigning confidence toeach IP address. The numerical values are normalized before being mappedto the slider positions. The assigned weights are used in thecalculation of composite scores from all IRIP data, which is then storedin RAMP engine 906.

In an embodiment, a second set of slider controls are used to set arequired confidence level to block connections. For example, there isone slider for each defined category of risk. The user can set a defaultacceptable risk score for each category, and the user may also setunique levels for each protected resource in their network. If an IPaddress is stored in the RAMP engine, and the stored confidence level isgreater than the value set by using the slider, the connections to/fromthe network resource are blocked.

Referring further to RAMP engine 906, processing each IP packet (e.g.,either an IPv4 or IPv6 IP address) against the assigned risk databaseutilizes a high-performance look-up engine such as RAMP engine 906. TheRAMP engine 906 embodying aspects of the invention is capable updates inreal time with a feed of IP addresses.

To protect multiple network resources where each resource has adifferent risk profile, RAMP engine 906 must be able to edit a ““list””of IP addresses stored in memory without recompilation. Storing a riskconfidence score (e.g., an aggregate risk score) for each risk categoryallows RAMP engine 906 to be used to protect multiple network resources,with each protected resource having a different acceptable risk profilethat is acceptable to the user.

Methods for sorting a plurality of IP addresses are known in the art.One known method uses Bloom filters to quickly determine whether an IPaddress is not stored in a data store (e.g., memory or a database).Bloom filters can be used to improve look up speeds, but a Bloom filtermust be rewritten if a data entry (e.g., blocked IP address) is removedfrom the data store. For instance, when using a Bloom filter there is nomechanism for deleting an entry (e.g., IP address) from the data storewithout recompiling the entire IP address list minus the entry to bedeleted. The RAMP engine 906 uses a Bloom filter, for example, to takeadvantage of faster access time, and include a grouping of confidencescores that are assigned to each IP address. Typically, storing both theconfidence scores with each IP address would require 32-bits of storageto access 8 bits of data (for data alignment requirements), which wouldtypically require doubling the storage requirements and also doublingthe chance of a cache miss.

Aspects of the present invention speed access times by using an index toeach IP address and using the same index to access a confidence score.For example, by mapping a confidence score with an IP address, thedisclosed threat assessment process is able to store the data itemsseparately allowing for better memory utilization and a higher cache hitratio. Thus, an IP address can be effectively removed by a filteringdecision based on a confidence score stored in the database, withoutrebuilding any data stores or recompiling. In this manner, RAMP engine906 can store the confidence rating, use an index to map IP addresses,and in an embodiment, use a Bloom filter without recompiling an entireIP address list. When new IP addresses arrive via the real-time feed,the new IP addresses are stored in a secondary store and may beprocessed by the RAMP engine by the RAMP engine replacing the old datastore with the secondary store, and then discarding the secondary store.

Embodiments of the present invention may comprise a special purposecomputer including a variety of computer hardware, as described ingreater detail below.

Embodiments within the scope of the present invention also includecomputer-readable media for carrying or having computer-executableinstructions or data structures stored thereon. Such computer-readablemedia can be any available media that can be accessed by a specialpurpose computer. By way of example, and not limitation, suchcomputer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or otheroptical disk storage, magnetic disk storage, or other magnetic storagedevices, or any other medium that can be used to carry or store desiredprogram code means in the form of computer-executable instructions ordata structures and that can be accessed by a special purpose computer.When information is transferred or provided over a network or anothercommunications connection (either hardwired, wireless, or a combinationof hardwired or wireless) to a computer, the computer properly views theconnection as a computer-readable medium. Thus, any such a connection isproperly termed a computer-readable medium. Combinations of the aboveshould also be included within the scope of computer-readable media.Computer-executable instructions comprise, for example, instructions anddata which cause a special purpose computer, or special purposeprocessing device to perform a certain function or group of functions.

The following discussion is intended to provide a brief, generaldescription of a suitable computing environment in which aspects of theinvention may be implemented. Although not required, aspects of theinvention will be described in the general context ofcomputer-executable instructions, such as program modules, beingexecuted by computers in network environments. Generally, programmodules include routines, programs, objects, components, datastructures, etc. that perform particular tasks or implement particularabstract data types. Computer-executable instructions, associated datastructures, and program modules represent examples of the program codemeans for executing steps of the methods disclosed herein. Theparticular sequence of such executable instructions or associated datastructures represent examples of corresponding acts for implementing thefunctions described in such steps.

Those skilled in the art will appreciate that aspects of the inventionmay be practiced in network computing environments with many types ofcomputer system configurations, including personal computers, hand-helddevices, multi-processor systems, microprocessor-based or programmableconsumer electronics, network PCs, minicomputers, mainframe computers,and the like. Aspects of the invention may also be practiced indistributed computing environments where tasks are performed by localand remote processing devices that are linked (either by hardwiredlinks, wireless links, or by a combination of hardwired or wirelesslinks) through a communications network. In a distributed computingenvironment, program modules may be located in both local and remotememory storage devices, including memory storage devices.

An exemplary system for implementing aspects of the invention includes aspecial purpose computing device in the form of a computing device,including a processing unit, a system memory, and a system bus thatcouples various system components including the system memory to theprocessing unit. The system bus may be any of several types of busstructures including a memory bus or memory controller, a peripheralbus, and a local bus using any of a variety of bus architectures. Thesystem memory includes read only memory (ROM) and random access memory(RAM). A basic input/output system (BIOS), containing the basic routinesthat help transfer information between elements within the computer,such as during start-up, may be stored in ROM. Further, the computer mayinclude any device (e.g., computer, laptop, tablet, PDA, cell phone,mobile phone, a smart television, and the like) that is capable ofreceiving or transmitting an IP address wirelessly to or from theinternet.

The computer may also include a magnetic hard disk drive for readingfrom and writing to a magnetic hard disk, a magnetic disk drive forreading from or writing to a removable magnetic disk, and an opticaldisk drive for reading from or writing to removable optical disk such asa CD-ROM or other optical media. The magnetic hard disk drive, magneticdisk drive, and optical disk drive are connected to the system bus by ahard disk drive interface, a magnetic disk drive-interface, and anoptical drive interface, respectively. The drives and their associatedcomputer-readable media provide nonvolatile storage ofcomputer-executable instructions, data structures, program modules, andother data for the computer. Although the exemplary environmentdescribed herein employs a magnetic hard disk, a removable magneticdisk, and a removable optical disk, other types of computer readablemedia for storing data can be used, including magnetic cassettes, flashmemory cards, digital video disks, Bernoulli cartridges, RAMs, ROMs,solid state drives (SSDs), and the like.

The computer typically includes a variety of computer readable media.Computer readable media can be any available media that can be accessedby the computer and includes both volatile and nonvolatile media,removable and non-removable media. By way of example, and notlimitation, computer readable media may comprise computer storage mediaand communication media. Computer storage media includes both volatileand nonvolatile, removable and non-removable media implemented in anymethod or technology for storage of information such as computerreadable instructions, data structures, program modules or other data.Computer storage media is non-transitory and includes, but is notlimited to, RAM, ROM, EEPROM, flash memory or other memory technology,CD-ROM, digital versatile disks (DVD) or other optical disk storage,SSDs, magnetic cassettes, magnetic tape, magnetic disk storage or othermagnetic storage devices, or any other medium which can be used to storethe desired non-transitory information, which can accessed by thecomputer. Alternatively, communication media typically embodies computerreadable instructions, data structures, program modules or other data ina modulated data signal such as a carrier wave or other transportmechanism and includes any information delivery media.

Program code means comprising one or more program modules may be storedon the hard disk, magnetic disk, optical disk, ROM, and/or RAM,including an operating system, one or more application programs, otherprogram modules, and program data. A user may enter commands andinformation into the computer through a keyboard, pointing device, orother input devices (not shown), such as a microphone, joy stick, gamepad, satellite dish, scanner, or the like. These and other input devicesare often connected to the processing unit through a serial portinterface coupled to the system bus. Alternatively, the input devicesmay be connected by other interfaces, such as a parallel port, a gameport, or a universal serial bus (USB). A monitor or another displaydevice is also connected to the system bus via an interface, such as avideo adapter. In addition to the monitor, personal computers typicallyinclude other peripheral output devices (not shown), such as speakersand printers.

One or more aspects of the invention may be embodied in data and/orcomputer-executable or processor-executable instructions (i.e.,software), routine or function stored in system memory or non-volatilememory as application programs, program modules and/or program data. Thesoftware may alternatively be stored remotely, such as on a remotecomputer with remote application programs. Generally, program modulesinclude routines, programs, objects, components, data structures, etc.that perform particular tasks or implement particular abstract datatypes when executed by a processor in a computer or other device. Thecomputer executable instructions may be stored on one or more tangible,non-transitory computer-readable storage media (e.g., hard disk, opticaldisk, removable storage media, solid state memory, RAM, etc.) andexecuted by one or more processors or other devices. As will beappreciated by one of skill in the art, the functionality of the programmodules may be combined or distributed as desired in variousembodiments. In addition, the functionality may be embodied in whole orin part in firmware or hardware equivalents such as integrated circuits,application specific integrated circuits, field programmable gate arrays(FPGA), and the like.

The computer may operate in a networked environment using logicalconnections to one or more remote computers. The remote computers mayeach be another personal computer, a tablet, a PDA, a server, a router,a network PC, a peer device or other common network node, and typicallyinclude many or all of the elements described above relative to thecomputer. The logical connections include a local area network (LAN) anda wide area network (WAN) that are presented here by way of example andnot limitation. Such networking environments are commonplace inoffice-wide or enterprise-wide computer networks, intranets and theInternet.

When used in a LAN networking environment, the computer is connected tothe local network through a network interface or adapter. When used in aWAN networking environment, the computer may include a modem, a wirelesslink, or other means for establishing communications over the wide areanetwork, such as the Internet. The modem, which may be internal orexternal, is connected to the system bus via the serial port interface.In a networked environment, program modules depicted relative to thecomputer, or portions thereof, may be stored in the remote memorystorage device. It will be appreciated that the network connectionsshown are exemplary and other means of establishing communications overthe wide area network may be used.

Preferably, computer-executable instructions are stored in a memory,such as hard disk drive, and executed by the computer. Advantageously,the computer processor has the capability to perform all operations(e.g., execute computer-executable instructions) in real-time.

In operation, a system embodying aspects of the invention determines anaggregate risk score for a plurality of IP addresses. In doing so, thesystem receives a plurality of IP addresses from one or more internetrisk intelligence providers (IRIPs) for a particular category,determines if the one or more received IP addresses are associated withmore than one category, and determines source characteristics for eachof the received IP addresses for a category. Moreover, the systemassigns a weighting factor to each of the source characteristics foreach category, adjusts a confidence level for each of the received IPaddresses by using a mathematical transform based on the weightingfactors for each category, and determines an aggregate risk score forall the IP addresses based on the adjusted confidence levels. Dependingon a risk level for each category that is acceptable to the user, thesystem compares the aggregate risk score with the received acceptablerisk level from the user and allows IP addresses having an acceptablerisk level to pass through the network's firewall.

The order of execution or performance of the operations in embodimentsof the invention illustrated and described herein is not essential,unless otherwise specified. That is, the operations may be performed inany order, unless otherwise specified, and embodiments of the inventionmay include additional or fewer operations than those disclosed herein.For example, it is contemplated that executing or performing aparticular operation before, contemporaneously with, or after anotheroperation is within the scope of aspects of the invention.

Embodiments of the invention may be implemented with computer-executableinstructions. The computer-executable instructions may be organized intoone or more computer-executable components or modules. Aspects of theinvention may be implemented with any number and organization of suchcomponents or modules. For example, aspects of the invention are notlimited to the specific computer-executable instructions or the specificcomponents or modules illustrated in the figures and described herein.Other embodiments of the invention may include differentcomputer-executable instructions or components having more or lessfunctionality than illustrated and described herein.

When introducing elements of aspects of the invention or the embodimentsthereof, the articles “a,” “an,” “the,” and “said” are intended to meanthat there are one or more of the elements. The terms “comprising,”“including,” and “having” are intended to be inclusive and mean thatthere may be additional elements other than the listed elements.

Having described aspects of the invention in detail, it will be apparentthat modifications and variations are possible without departing fromthe scope of aspects of the invention as defined in the appended claims.As various changes could be made in the above constructions, products,and methods without departing from the scope of aspects of theinvention, it is intended that all matter contained in the abovedescription and shown in the accompanying drawings shall be interpretedas illustrative and not in a limiting sense.

What is claimed is:
 1. A computer network firewall system comprising: atleast one tangible, non-transitory a computer-readable medium storingprocessor-executable instructions; a threat assessment processorprogrammed to execute the instructions, wherein the instructions, whenexecuted by the processor, configure the firewall system to: acquire aplurality of threat information from one or more internet riskintelligence providers (IRIPs) via a computer communications network;store the plurality of threat information on the computer-readablemedium, the threat information including an IP address, a risk categoryassociated with the IP address, and a risk confidence level associatedwith the IP address, the threat information further including adetermination of geographic proximity characteristics associated withthe IP address in relation to geographic proximity characteristicsassociated with one or more other IP addresses having risk confidencelevels exceeding a threshold level; determine a risk category valueassociated with the IP address as a function of: the risk confidencelevel stored on the computer-readable medium, and timing informationstored on the computer-readable medium, the timing informationcomprising: a number of instances the risk confidence level has exceededthe risk category acceptance level during a first time interval, and asecond time interval representing the elapsed time since the riskconfidence level previously exceeded the risk category acceptance level;and block computer network communications with a computing deviceassociated with the IP address when the risk category value is greaterthan or equal to a risk category acceptance level.
 2. The computernetwork firewall system of claim 1, wherein the timing information isbased on a timestamp corresponding to the acquisition of the pluralityof threat information on the computer-readable medium.
 3. The computernetwork firewall system of claim 1, wherein the instructions, whenexecuted by the processor, further configure the firewall system to:receive the risk category acceptance level from a user via a graphicaluser interface; compare the risk category value to the risk categoryacceptance level; and allow communications with the computing deviceassociated with the IP address when the risk category value is less thanthe risk category acceptance level.
 4. The computer network firewallsystem of claim 1, wherein the threat information further includes adetermination of whether the IP address is acquired from more than oneIRIP and wherein the instructions, when executed by the processor,further configure the firewall system to adjust the risk category valueassociated with the IP address as a function of a multiple IRIPweighting factor when the IP address is acquired from more than oneIRIP, the multiple IRIP weighting factor increasing the risk categoryvalue.
 5. The computer network firewall system of claim 1, wherein thethreat information further includes a determination of whether the IPaddress is associated with more than one risk category and wherein theinstructions, when executed by the processor, further configure thefirewall system to adjust the risk category value associated with the IPaddress as a function of a multiple category weighting factor when theIP address is associated with more than one risk category, the multiplecategory weighting factor increasing the risk category value.
 6. Thecomputer network firewall system of claim 1, wherein the threatinformation further includes a determination of source characteristicsand destination characteristics associated with the IP address andwherein the instructions, when executed by the processor, furtherconfigure the firewall system to adjust the risk category valueassociated with the IP address as a function of a source/destinationweighting factor corresponding to the source characteristics and thedestination characteristics.
 7. The computer network firewall system ofclaim 6, wherein the source characteristics and the destinationcharacteristics comprise at least one of: a geographic area, a country,a business sector, an industrial sector, and a political region.
 8. Thecomputer network firewall system of claim 1, wherein the threatinformation further includes a determination of Internet ServiceProvider (ISP) characteristics associated with the IP address andwherein the instructions, when executed by the processor, furtherconfigure the firewall system to adjust the risk category valueassociated with the IP address as a function of an ISP weighting factorcorresponding to the ISP characteristics, the ISP weighting factorincreasing the risk category value.
 9. A computer network firewallsystem comprising: at least one tangible, non-transitory acomputer-readable medium storing processor-executable instructions; athreat assessment processor programmed to execute the instructions,wherein the instructions, when executed by the processor, configure thefirewall system to: acquire a plurality of threat information from oneor more internet risk intelligence providers (IRIPs) via a computercommunications network; store the plurality of threat information on thecomputer-readable medium, the threat information including an IPaddress, a risk category associated with the IP address, and a riskconfidence level associated with the IP address, the threat informationfurther including a determination of source characteristics anddestination characteristics associated with the IP address; determine arisk category value associated with the IP address as a function of: therisk confidence level stored on the computer-readable medium, and timinginformation stored on the computer-readable medium, the timinginformation comprising: a number of instances the risk confidence levelhas exceeded the risk category acceptance level during a first timeinterval, and a second time interval representing the elapsed time sincethe risk confidence level previously exceeded the risk categoryacceptance level; adjust the risk category value associated with the IPaddress as a function of a source/destination weighting factorcorresponding to the source characteristics and the destinationcharacteristics; and block computer network communications with acomputing device associated with the IP address when the risk categoryvalue is greater than or equal to a risk category acceptance level. 10.The computer network firewall system of claim 9, wherein the timinginformation is based on a timestamp corresponding to the acquisition ofthe plurality of threat information on the computer-readable medium. 11.The computer network firewall system of claim 9, wherein theinstructions, when executed by the processor, further configure thefirewall system to: receive the risk category acceptance level from auser via a graphical user interface; compare the risk category value tothe risk category acceptance level; and allow communications with thecomputing device associated with the IP address when the risk categoryvalue is less than the risk category acceptance level.
 12. The computernetwork firewall system of claim 9, wherein the threat informationfurther includes a determination of whether the IP address is acquiredfrom more than one IRIP and wherein the instructions, when executed bythe processor, further configure the firewall system to adjust the riskcategory value associated with the IP address as a function of amultiple IRIP weighting factor when the IP address is acquired from morethan one IRIP, the multiple IRIP weighting factor increasing the riskcategory value.
 13. The computer network firewall system of claim 9,wherein the threat information further includes a determination ofwhether the IP address is associated with more than one risk categoryand wherein the instructions, when executed by the processor, furtherconfigure the firewall system to adjust the risk category valueassociated with the IP address as a function of a multiple categoryweighting factor when the IP address is associated with more than onerisk category, the multiple category weighting factor increasing therisk category value.
 14. The computer network firewall system of claim9, wherein the source characteristics and the destinationcharacteristics comprise at least one of: a geographic area, a country,a business sector, an industrial sector, and a political region.
 15. Thecomputer network firewall system of claim 9, wherein the threatinformation further includes a determination of Internet ServiceProvider (ISP) characteristics associated with the IP address andwherein the instructions, when executed by the processor, furtherconfigure the firewall system to adjust the risk category valueassociated with the IP address as a function of an ISP weighting factorcorresponding to the ISP characteristics, the ISP weighting factorincreasing the risk category value.
 16. The computer network firewallsystem of claim 9, wherein the threat information further includes adetermination of geographic proximity characteristics associated withthe IP address in relation to geographic proximity characteristicsassociated with one or more other IP addresses having risk confidencelevels exceeding the threshold level and wherein the instructions, whenexecuted by the processor, further configure the firewall system toadjust the risk category value associated with the IP address as afunction of a geographic weighting factor corresponding to thegeographic proximity characteristics associated with the IP address, thegeographic weighting factor increasing the risk value.
 17. A system forprotecting a network from a security threat in real-time, the systemcomprising: a memory storing a plurality of Internet Protocol (IP)addresses, timing information associated with each of the plurality ofIP addresses, a risk category associated with each of the plurality ofIP addresses, a risk confidence level associated with each of theplurality of IP addresses, and a plurality of threat information, thethreat information including a determination of source characteristicsand destination characteristics associated with each of the plurality ofIP addresses; a graphical user interface (GUI) for displaying aplurality of risk categories associated with the plurality of IPaddresses on a display, and for receiving input from a user, the inputincluding a risk acceptance level for each of the plurality of riskcategories; a non-transitory computer-readable storage medium havingstored thereon computer processor-executable instructions; a threatprocessor executing the computer-executable instructions, saidinstructions comprising: receiving a plurality of IP addressesassociated with a particular risk category from one or more internetrisk intelligence providers; when the one or more received IP addressesare associated with more than one risk category, assigning asource/destination weighting factor for each risk category based on thesource characteristics and the destination characteristics associatedwith the received IP addresses associated therewith; adjusting aconfidence level for each of the received IP addresses based on thesource/destination weighting factor for each risk category; determiningan aggregate risk score for all the IP addresses based on the adjustedconfidence levels; storing the aggregate risk score in a memory device;receiving an acceptable risk level for each category from the user,wherein the aggregate risk score is a function of a number of instancesthe risk confidence level for each of the received IP addresses hasexceeded the acceptable risk level during a time interval based on thetiming information associated therewith; comparing the stored aggregaterisk score with the received acceptable risk level from the user; andallowing communications from any IP addresses having an acceptable risklevel to pass through the network's firewall.